In the prior art, a method for determining unauthorized activity has been proposed, in which a communication by a terminal connected to a network is compared with a previously held pattern, an evaluated value indicating an extent to which it is inferred that the terminal is used, to conduct unauthorized activity is specified, together with a phase of unauthorized activity, in accordance with the comparison result, and it is determined whether or not the terminal is used to conduct unauthorized activity, based on a maximum value of the evaluated value for each phase (see the specification of Japanese Patent No. 6097849).
Furthermore, various technologies for detecting an attack on a system and classifying the detected attack have been proposed (see the specifications of U.S. Pat. No. 9,565,208, Japanese Patent Application Publication No. 2008-152773 and WO 2016/038662).